Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method for mapping at least one physical system and at least one virtual system into at least two separate execution environments, comprising the steps of: discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system; using the discovered policy to create an enforceable isolation policy; and using the isolation policy to modify a deployment of one or more workloads in the at least one physical system and at least one virtual system to create at least two separate execution environments, wherein one or more steps of said method are performed by a processor.
The method automatically creates secure zones for physical and virtual systems. It first analyzes the existing setup to learn the current security rules being followed, even if they aren't formally defined. It then converts these learned rules into strict, enforceable policies to isolate different parts of the infrastructure. Finally, the method adjusts the placement of applications to fit within these newly created isolated environments, ensuring workloads are properly separated according to the enforced security policies. A processor performs these steps.
2. The method of claim 1, wherein discovering an implicitly enforced security policy comprises processing at least one of one or more configuration files and system run-time information.
To discover the existing, informal security rules, the method processes configuration files, system run-time information, or both, to learn how systems currently interact and which security measures are implicitly in place. This information builds a picture of the current security posture.
3. The method of claim 1, wherein using the discovered policy to create an enforceable isolation policy comprises creating a model of a workload network topology based on the discovered policy.
The method uses the discovered, informal security rules to create a strict isolation policy by building a model of how applications are connected on the network. This model, called a workload network topology, captures the dependencies and communication patterns between different applications as derived from the discovered security policy.
4. The method of claim 3, wherein the workload network topology model is used to partition at least one of one or more virtual machines and one or more physical systems into one or more groups working on a common workload.
The workload network topology model, derived from the discovered policy, is used to separate virtual machines and physical systems into groups based on the workloads they handle together. This partitioning allows for the creation of distinct secure zones, isolating different workloads from one another based on the identified network topology.
5. The method of claim 1, wherein discovering an implicitly enforced security policy comprises: considering one or more services being offered on a system and usage of the one or more services; and determining a behavior pattern of a workload that is distributed on a set of at least one of one or more virtual machines and one or more physical systems.
Discovering the existing security rules involves examining the services running on systems and how they are used. The method determines how workloads behave when spread across virtual machines and physical servers by observing their interaction with those services and identifying typical usage patterns that expose implicitly defined security rules.
6. The method of claim 1, further comprising providing feedback on a behavioral effect of a change in security policy.
The method provides feedback on how changes to the security policy will affect system behavior. This helps administrators understand the consequences of modifying the security rules before implementing them, allowing for informed decision-making and preventing unintended disruptions of system operations.
7. The method of claim 1, wherein in using the discovered policy to create an enforceable isolation policy, the policy is synthesized via at least one of an analysis engine, and performing a best-fit analysis of known good policies with analogous behavior.
The method creates strict isolation policies from the discovered rules using an analysis engine, a best-fit analysis against known good policies, or both. The analysis engine synthesizes the policy automatically; the best-fit analysis compares the discovered behavior with known, well-defined policies that behave analogously and selects the closest match for enforcement.
8. The method of claim 1, wherein the isolation policy comprises a white list, and wherein the white list explicitly defines all allowable accesses among one or more physical and virtual systems of an environment.
The isolation policy uses a whitelist approach, explicitly defining which accesses are allowed between physical and virtual systems. This whitelist ensures that only authorized communication and interactions are permitted, blocking any unauthorized or unexpected activity within the environment.
9. The method of claim 1, further comprising using a verification mechanism to enable a user to check if the discovered policy meets one or more expected security objectives.
The method includes a verification mechanism that lets a user check if the discovered policy meets expected security goals. This allows users to confirm that the automatically discovered and generated security policies align with organizational security objectives and regulatory requirements.
10. The method of claim 1, further comprising enabling a user to refine the isolation policy to meet one or more desired security objectives.
The method allows users to refine the isolation policy to meet specific security needs. This allows administrators to adjust the automatically generated policies to address specific vulnerabilities or to enforce stricter security measures based on their unique requirements and risk assessments.
11. The method of claim 1, wherein using the discovered policy to create an enforceable isolation policy comprises providing system configuration information and observation to a central site for analysis, and wherein the central site computes a current security policy.
The method creates an enforceable isolation policy by sending system configuration information and observation data to a central site. The central site analyzes this data and computes a current security policy, which is then enforced across the distributed systems.
12. The method of claim 1, further comprising using an isolated domain algorithm to identify and isolate one or more systems that serve one or more different workloads, determine a set of utilized services (US) on each system, construct a dependency graph G(V,E) using a US set, find one or more different domain lists using a depth first search (dfs), remove one or more vertices from a domain list that are not reachable during an execution from a starting vertex via use of an observed access pattern of one or more systems, and detect one or more shared vertices which are members of multiple domain lists.
The method uses an isolated domain algorithm to separate systems by workload. It identifies and isolates systems serving different workloads, determines the set of utilized services (US) on each system, builds a dependency graph G(V,E) from those sets, finds separate domain lists with a depth-first search, removes from a domain list any vertex that is not reachable from the starting vertex under the observed access pattern, and detects shared vertices that belong to more than one domain list.
13. The method of claim 12, wherein one or more services of the one or more shared vertices are examined to confine the multiple domain lists.
When a system is shared across multiple isolated groups, the method examines the services that each group actually uses on it, and restricts the group memberships accordingly, so that a shared vertex does not merge the domain lists that touch it and isolation stays rigorous.
14. A method for generating a database of one or more isolation policies, comprising the steps of: discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system; using the discovered policy to create an enforceable isolation policy; using the isolation policy to modify a deployment of one or more workloads in the at least one physical system and at least one virtual system to create at least two separate execution environments; and storing each isolation policy in a searchable database, wherein one or more steps of said method are performed by a processor.
The method automatically creates secure zones and stores the security configuration. It learns the current security rules, even if informal, and converts them into strict, enforceable policies to isolate different parts of the infrastructure. It then adjusts application placement to fit these zones. Finally, each isolation policy is stored in a searchable database for later use. A processor performs these steps.
15. A computer program product comprising a non-transitory computer readable recordable storage medium having computer readable program code for mapping at least one physical system and at least one virtual system into at least two separate execution environments, said computer program product including: computer readable program code for discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system; computer readable program code for using the discovered policy to create an enforceable isolation policy; and computer readable program code for using the isolation policy to modify a deployment of one or more workloads in the at least one physical system and at least one virtual system to create at least two separate execution environments.
This is a software program that creates secure zones for physical and virtual machines. The program analyzes the current system to learn existing security rules, converts these rules into strict isolation policies, and then adjusts the placement of applications to fit within the zones.
16. The computer program product of claim 15, wherein the computer readable code for using the discovered policy to create an enforceable isolation policy comprises creating a model of a workload network topology based on the discovered policy.
The software program, described in the previous claim, creates the strict isolation policy by building a model of how applications are connected on the network. This model, called a workload network topology, captures the dependencies and communication patterns between different applications as derived from the discovered security policy.
17. The computer program product of claim 15, wherein computer readable code for using the discovered policy to create an enforceable isolation policy comprises synthesizing the policy via at least one of an analysis engine, and performing a best-fit analysis of known good policies with analogous behavior.
The software program, described in the previous claim, creates strict isolation policies from the discovered rules using an analysis engine, a best-fit analysis against known good policies, or both. The analysis engine synthesizes the policy automatically; the best-fit analysis compares the discovered behavior with known, well-defined policies that behave analogously and selects the closest match for enforcement.
18. The computer program product of claim 15, wherein the computer readable code for using the discovered policy to create an enforceable isolation policy comprises providing system configuration information and observation to a central site for analysis, and wherein the central site computes a current security policy.
The software program, described in the previous claim, creates an enforceable isolation policy by sending system configuration information and observation data to a central site. The central site analyzes this data and computes a current security policy, which is then enforced across the distributed systems.
19. The computer program product of claim 15, further comprising computer readable code for using an isolated domain algorithm to identify and isolate one or more systems that serve one or more different workloads, determine a set of utilized services (US) on each system, construct a dependency graph G(V,E) using a US set, find one or more different domain lists using a depth first search (dfs), remove one or more vertices from a domain list that are not reachable during an execution from a starting vertex via use of an observed access pattern of one or more systems, and detect one or more shared vertices which are members of multiple domain lists.
The software program, described in the previous claim, includes code that uses an isolated domain algorithm to separate systems by workload. It identifies and isolates systems serving different workloads, determines the set of utilized services (US) on each system, builds a dependency graph G(V,E) from those sets, finds separate domain lists with a depth-first search, removes from a domain list any vertex that is not reachable from the starting vertex under the observed access pattern, and detects shared vertices that belong to more than one domain list.
20. A computer program product comprising a non-transitory computer readable recordable storage medium having computer readable program code for generating a database of one or more isolation policies, said computer program product including: computer readable program code for discovering an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system; computer readable program code for using the discovered policy to create an enforceable isolation policy; computer readable program code for using the isolation policy to modify a deployment of one or more workloads in the at least one physical system and at least one virtual system to create at least two separate execution environments; and computer readable program code for storing each isolation policy in a searchable database.
This is a software program for building a database of security configurations. It discovers existing security rules, even if informal, converts them into strict isolation policies, and adjusts application placement to fit secure zones. Each isolation policy is stored in a searchable database.
21. An apparatus for mapping at least one physical system and at least one virtual system into at least two separate execution environments, comprising: a memory; and at least one processor coupled to said memory and operative to: discover an implicitly enforced security policy in an environment comprising at least one physical system and at least one virtual system; use the discovered policy to create an enforceable isolation policy; and use the isolation policy to modify a deployment of one or more workloads in the at least one physical system and at least one virtual system to create at least two separate execution environments.
This device creates secure zones for physical and virtual systems. It includes memory and a processor that analyzes the current setup to learn the current security rules, converts these rules into strict, enforceable policies to isolate different parts of the infrastructure, and adjusts the placement of applications to fit these zones.
22. The apparatus of claim 21, wherein the at least one processor coupled to said memory and operative to use the discovered policy to create an enforceable isolation policy is further operative to create a model of a workload network topology based on the discovered policy.
The device from the previous claim builds a model of how applications are connected on the network in order to create a strict isolation policy. This model, called a workload network topology, captures the dependencies and communication patterns between different applications as derived from the discovered security policy.
23. The apparatus of claim 21, wherein the at least one processor coupled to said memory and operative to use the discovered policy to create an enforceable isolation policy is further operative to synthesize the policy via at least one of an analysis engine, and performing a best-fit analysis of known good policies with analogous behavior.
The device from the previous claim creates strict isolation policies from the discovered rules using an analysis engine, a best-fit analysis against known good policies, or both. The analysis engine synthesizes the policy automatically; the best-fit analysis compares the discovered behavior with known, well-defined policies that behave analogously and selects the closest match for enforcement.
24. The apparatus of claim 21, wherein the at least one processor coupled to said memory and operative to use the discovered policy to create an enforceable isolation policy is further operative to provide system configuration information and observation to a central site for analysis, and wherein the central site computes a current security policy.
The device from the previous claim creates an enforceable isolation policy by sending system configuration information and observation data to a central site. The central site analyzes this data and computes a current security policy, which is then enforced across the distributed systems.
25. The apparatus of claim 21, further comprising at least one processor coupled to said memory operative to use an isolated domain algorithm to identify and isolate one or more systems that serve one or more different workloads, determine a set of utilized services (US) on each system, construct a dependency graph G(V,E) using a US set, find one or more different domain lists using a depth first search (dfs), remove one or more vertices from a domain list that are not reachable during an execution from a starting vertex via use of an observed access pattern of one or more systems, and detect one or more shared vertices which are members of multiple domain lists.
The device from the previous claim includes a processor configured to use an isolated domain algorithm to separate systems by workload. It identifies and isolates systems serving different workloads, determines the set of utilized services (US) on each system, builds a dependency graph G(V,E) from those sets, finds separate domain lists with a depth-first search, removes from a domain list any vertex that is not reachable from the starting vertex under the observed access pattern, and detects shared vertices that belong to more than one domain list.
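The isolated domain algorithm recited in claims 12, 19 and 25, with the service-based confinement of claim 13 and the white list of claim 8, as an added illustration that is not code from the patent: it assumes a constructed set of systems with configuration-derived utilized services and observed run-time flows, and treats the two front ends web1 and web2 as the starting vertices.

```python
# Constructed sample input (not from the patent). Utilized services (US) per system as
# read from configuration, as (target, service); app1's db2 entry is a stale failover.
UTILIZED_SERVICES = {
    "web1": {("app1", "http"), ("ldap", "ldap")},
    "app1": {("db1", "mysql"), ("db2", "mysql"), ("ldap", "ldap")},
    "web2": {("app2", "http"), ("ldap", "ldap")},
    "app2": {("db2", "mysql"), ("ldap", "ldap")},
    "db1": set(), "db2": set(), "ldap": set(),
}
# Constructed run-time observation: (source, target, service) flows actually seen.
OBSERVED_ACCESS = {
    ("web1", "app1", "http"), ("web1", "ldap", "ldap"), ("app1", "db1", "mysql"), ("app1", "ldap", "ldap"),
    ("web2", "app2", "http"), ("web2", "ldap", "ldap"), ("app2", "db2", "mysql"), ("app2", "ldap", "ldap"),
}

def build_dependency_graph(us):
    """G(V,E): one vertex per system; edge u->v carries the services u uses on v."""
    graph = {v: {} for v in us}
    for src, targets in us.items():
        for dst, service in targets:
            graph.setdefault(dst, {})
            graph[src].setdefault(dst, set()).add(service)
    return graph

def dfs(graph, start, edge_ok):
    """Depth-first search from start, following only edges accepted by edge_ok."""
    seen, stack = set(), [start]
    while stack:
        v = stack.pop()
        if v in seen:
            continue
        seen.add(v)
        stack.extend(w for w, services in graph[v].items()
                     if any(edge_ok(v, w, s) for s in services))
    return seen

def isolate_domains(us, observed, starts):
    """Claim 12: DFS per starting vertex, then drop vertices never reached under observed access."""
    graph = build_dependency_graph(us)
    domains, removed = {}, {}
    for start in starts:
        configured = dfs(graph, start, lambda v, w, s: True)
        executed = dfs(graph, start, lambda v, w, s: (v, w, s) in observed)
        domains[start], removed[start] = configured & executed, configured - executed
    return domains, removed

def shared_vertices(domains):
    """Vertices that are members of more than one domain list, with their owners."""
    owners = {v: {n for n, m in domains.items() if v in m} for v in set().union(*domains.values())}
    return {v: o for v, o in owners.items() if len(o) > 1}

def whitelist(observed, domains):
    """Claims 8/13: per-domain allow-list of observed flows among its own members."""
    return {name: {f for f in observed if f[0] in members and f[1] in members}
            for name, members in domains.items()}
```

With this input, db2 is dropped from web1's domain because the configured app1 to db2 link was never observed, and ldap is reported as the shared vertex whose per-domain allow-list entries keep the two domains apart.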
September 16, 2014